Question

Deployed Lync 2010. We have a FE, an Edge and TMG. When testing we discovered that inside the firewall all works well. Outside the firewall we can enter anyone's login name and it just logs us in. When logged in as that user it prompts for credentials, but that is only to access the address book. If we click cancel we are logged into the other user's account and all works except the address book. Inside the firewall, if we change the login credentials it prompts for username and password, and since I do not know the password I cannot get in.

This seems to be a major security hole. What could be wrong with the edge? I have changed every setting to no avail. The only thing that stops this behavior is to uncheck "remote access" in the policy. Unfortunately with that setting no one can login to Lync without connecting via VPN.

Any ideas? It's hard to troubleshoot something that doesn't throw any errors.

All replies

You have enabled external user access, and when a user, let's say UserA, connects from outside, s/he not only can log in to her/his own user account but also can log in to Lync with any other enabled user account, let's say UserB as an example, as long as s/he enters UserB's SIP address s/he can log in to Lync with UserB's account, right?

Would you please verify whether UserB has signed in on this computer before and selected "Save my password" at the first sign-in? Anyway, please try the following steps to clear the "Save my password" setting in the Lync client and get the checkbox back in case you are hitting this scenario.

1) Run Regedit.exe and navigate to the registry key HKEY_CURRENT_USER\Software\Microsoft\Communicator; in the right panel find the DWORD value SavedPassword and set the value to 1.

Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

"You have enabled external user access, and when a user, let's say UserA, connects from outside, s/he not only can log in to her/his own user account but also can log in to Lync with any other enabled user account, let's say UserB as an example, as long as s/he enters UserB's SIP address s/he can log in to Lync with UserB's account, right?" Yes.

It is not cached passwords or the certificate. If I turn on my edge server and you open the Lync client on your laptop and enter my sip address you will be able to connect and see my contact list and communicate as me.

Checked all that you specified. None of that fixed the issue. It's a very odd problem. I have no idea how we managed to open that hole. Fully patched OS and fully patched Lync. BPA does not show an issue.

It's a weird issue, I haven't seen this scenario; it seems there is something wrong with your Edge server. Did you try to remove the Edge from your topology and then re-deploy it again?

Meanwhile I will escalate this issue to the escalation support engineer team; if you can provide more details about your scenario (such as Lync topology, network map) it will help more.

However if this issue is urgent it's better to open a ticket with Microsoft and the premier support engineer will work together with you to troubleshoot this issue online.

Regards,

Sharon


Hi Daniel, the behavior you described is definitely not expected, and as Sharon has suggested, if this is a big concern for you please open a support request so that we can address it as soon as possible. Meanwhile, please try creating a new user in your AD and enable it in Lync (Allow remote access), then use that user account to log in externally (without ever logging in on the internal network). Are you able to reproduce the behavior using the new account? Also:

1. Have you tried reproducing this behavior on a different external client?
2. Have you tried reproducing this behavior when logged in as a non-admin user?
3. Have you tried reproducing this behavior using a machine not joined to the domain?

I'm working with Daniel on our external Lync authentication issues. I ran Get-CsTrustedApplicationPool and sure enough both of our OCS 2007 servers are listed there and are both TreatAsAuthenticated. Currently all of our users are migrated to Lync 2010 and our OCS servers are turned off. What steps do we need to take to remove this from our Lync environment?

These servers are OCS 2007 front end servers. We have deployed a Lync edge server and it is not listed as a trusted server or TreatAsAuthenticated. The OCS servers are both powered off, yet we can log in to Lync from outside our network as any Lync user without being prompted for authentication. Do you have any ideas what could be causing this security hole? Currently I have disabled remote user access until I can resolve the authentication issue.

I am also facing the same issue (from external, any user can log in without providing a password, but when trying from the internal network it prompts for the password). Have you found any solution for this?

Note: I never had any OCS servers, this is the first time installing in my domain, and my Edge server is not in the trusted application pool either.

Hi, check the authentication delegation in the TMG publishing rule; it must be "No delegation, but client may authenticate directly". If you do not have it, your external client will not prompt for a password. Do as I wrote and it will pass.

I find this thread interesting. I went to update to CU4 and found an article on the Internet claiming that it broke edge server authentication. Now I'm beginning to believe it's not CU4 and more likely a config issue.

Hi Daniel,
I'm sure (or at least I hope) you fixed this already, but in case someone else runs into this issue: I have seen customers using the same certificate on the Edge internal interface and on the next hop pool (of course with all the required SANs). If you do that, all traffic coming from the Edge will already be trusted and there will be no prompt for external users to sign in. You should always use a dedicated certificate on the internal Edge interface with only the internal Edge (pool) FQDN as SN and no SAN.
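The two configuration causes named in this thread (a leftover pool marked TreatAsAuthenticated, and one certificate shared between the Edge internal interface and the next-hop pool) can be audited read-only from the Lync Server Management Shell. This is an added example, not code from any poster; the FQDN and the file name are assumptions, and it relies only on the Get-CsTrustedApplicationPool and Get-CsCertificate cmdlets and the Identity, TreatAsAuthenticated, Thumbprint, Subject and AlternativeNames properties they return.

```powershell
# Added example, not from the thread. Run in the Lync Server Management Shell.
$edgeInternalFqdn = 'edge-int.corp.example'   # assumed: your internal Edge (pool) FQDN

# 1. Any trusted application pool still flagged TreatAsAuthenticated is accepted without
#    credentials. Powered-off OCS 2007 pools left in the topology show up here.
function Get-TrustedAuthenticatedPools {
    Get-CsTrustedApplicationPool |
        Where-Object { $_.TreatAsAuthenticated } |
        Select-Object Identity, Registrar, TreatAsAuthenticated
}

# 2. Compare the Edge internal certificate with the next-hop (Front End) certificate.
#    $EdgeInternalCert comes from 'Get-CsCertificate -Type Internal' run on the Edge,
#    $FrontEndCert from 'Get-CsCertificate -Type Default' run on the Front End.
function Test-EdgeInternalCertificate {
    param(
        [Parameter(Mandatory)] $EdgeInternalCert,
        [Parameter(Mandatory)] $FrontEndCert,
        [Parameter(Mandatory)] [string] $EdgeInternalFqdn
    )
    $findings = @()
    if ($EdgeInternalCert.Thumbprint -eq $FrontEndCert.Thumbprint) {
        $findings += 'Edge internal interface and next-hop pool share one certificate; Edge traffic is trusted as internal.'
    }
    $expectedSubject = "CN=$EdgeInternalFqdn"
    if ($EdgeInternalCert.Subject -notlike "$expectedSubject*") {
        $findings += "Edge internal certificate subject is '$($EdgeInternalCert.Subject)', expected '$expectedSubject'."
    }
    if (@($EdgeInternalCert.AlternativeNames).Count -gt 0) {
        $findings += "Edge internal certificate carries SANs: $($EdgeInternalCert.AlternativeNames -join ', ')"
    }
    if ($findings.Count -eq 0) { 'Edge internal certificate is scoped to the internal Edge FQDN only.' } else { $findings }
}

# Usage: on the Edge, 'Get-CsCertificate -Type Internal | Export-Clixml edge-internal-cert.xml',
# copy the file to the Front End (assumed path), then run the checks here.
$edgeCert = Import-Clixml .\edge-internal-cert.xml
$feCert   = Get-CsCertificate -Type Default
Get-TrustedAuthenticatedPools
Test-EdgeInternalCertificate -EdgeInternalCert $edgeCert -FrontEndCert $feCert -EdgeInternalFqdn $edgeInternalFqdn
```

Any pool listed by the first function, or any finding from the second, matches a condition the posters above identified as letting external clients sign in as another user without a credential prompt.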
